From: Eric Dumazet <eric.dumazet@gmail.com>
To: Tom Herbert <tom@quantonium.net>, davem@davemloft.net
Cc: netdev@vger.kernel.org, rohit@quantonium.net,
jchapman@katalix.com, g.nault@alphalink.fr
Subject: Re: [PATCH v2 net-next 2/2] kcm: Check if sk_user_data already set in kcm_attach
Date: Fri, 26 Jan 2018 13:07:58 -0800
Message-ID: <1517000878.3715.61.camel@gmail.com>
In-Reply-To: <20180124203541.3172-3-tom@quantonium.net>
On Wed, 2018-01-24 at 12:35 -0800, Tom Herbert wrote:
> This is needed to prevent sk_user_data being overwritten.
> The check is done under the callback lock. This should prevent
> a socket from being attached twice to a KCM mux. It also prevents
> a socket from being attached for other use cases of sk_user_data
> as long as the other cases set sk_user_data under the lock.
> Followup work is needed to unify all the use cases of sk_user_data
> to use the same locking.
>
> Reported-by: syzbot+114b15f2be420a8886c3@syzkaller.appspotmail.com
> Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
> Signed-off-by: Tom Herbert <tom@quantonium.net>
> ---
> net/kcm/kcmsock.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
> index 7632797fb68e..4a8d407f8902 100644
> --- a/net/kcm/kcmsock.c
> +++ b/net/kcm/kcmsock.c
> @@ -1410,9 +1410,18 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
> return err;
> }
>
> - sock_hold(csk);
> -
> write_lock_bh(&csk->sk_callback_lock);
> +
> + /* Check if sk_user_data is aready by KCM or someone else.
> + * Must be done under lock to prevent race conditions.
> + */
> + if (csk->sk_user_data) {
> + write_unlock_bh(&csk->sk_callback_lock);
> + strp_done(&psock->strp);
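Review bot: in the new "if (csk->sk_user_data)" error branch, strp_done(&psock->strp) is called on a strparser that nothing in this path has stopped, and strp_done() warns in that case (WARN_ON(!strp->stopped)). Calling strp_stop(&psock->strp) before strp_done() in this branch would avoid the warning. Separately, the comment above the check reads "is aready by KCM"; it looks like it was meant to say "is already set by KCM or someone else".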
Although it seems psock->strp->stopped won't be set?
We should hit WARN_ON(!strp->stopped);